What’s our Policy on That?

February 11th, 2012 Comments off

Companies of all sizes continue to struggle with information security policies or other rules designed to help protect their information. In 30 years of information security practice some issues come up time and time again that contribute to the problem of inadequate information security policies. While few would argue the need to have actual policies about information security, often that’s where agreement stops. The concept of having policies, defining policies and enforcing them is often more than a little controversial for many companies.

Most information security policies evolved out of the old familiar “do’s and don’ts” set of rules.  Often times the do’s and don’ts were the least controversial of policies and included such things as guidance on what not to say in an e-mail, how to handle confidential company information, what usage of the Internet is permissible, and so forth. Too often the do’s and don’ts policy was a clone of a year’s earlier article in an HR manager journal and has received almost no attention since then.  Companies often lack the resolve to use the do’s and don’ts policy as a basis for disciplinary measures of any kind, let alone as the basis for termination.  However, the one thing the do’s and don’ts policy did enable everyone to do was to righteously claim, “yes, Boss, we do have an information security policy.”

Read more…

RIM or Precipice

October 31st, 2011 Comments off

News of RIM’s apologies concerning the multiple-day outage of its services beginning Saturday morning October 8 illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case).  However, when dealing with enterprises which purchase services in mass quantities as part of a broader strategy of delivering services to their customers through a well-equipped employee base the reverse is true.  RIM had remained silent for five days about the details, causes – and most importantly – the estimates for remediation of this outage. This is inexcusable for anyone offering an enterprise class product. Read more…

The Changing Nature of Incident Response: Part 3

October 30th, 2011 Comments off
The ultimate test of the value of an incident response team is how that team handles crises. Crises are generally not everyday occurrences. In fact, most issues with which an incident response team must deal are not of a bona fide emergency nature. That is why from the very onset of computer incident response teams I have objected to any incident response team name that includes “emergency” or “crisis” in it, because these terms represent little more than massive embellishment of the true nature of most of their activities.

Read more…

Categories: Network Security Tags:

The Changing Nature of Incident Response: Part 2

October 26th, 2011 Comments off
Perhaps the biggest single step in the life cycle of an incident response team is going operational. The major problem with getting the Department of Energy’s incident response team operational was that there was nothing–no policies, no standards, and virtually no procedures concerning incident response at that time. The CERT/CC team claimed that it was operational at that time, but if that were true, there would have been some kind of indication that operations were taking place, and there was no indication whatsoever. One of the best ways that my management ever helped at that time was to inform me of other emergency response teams and to try to get me in touch with people who managed such efforts. One such team was the Nuclear Energy Search Team (NEST) at Lawrence Livermore National Laboratory. Discussions with the manager and some of the more senior staff members of this team helped me better understand the kind of procedures that would have to be performed, the kinds of communication that would have to occur, and how action priorities would have to be determined. Still, the nuclear arena is not all that closely aligned with the information security arena, and after I was finished meeting with NEST members I developed a kind of sinking feeling that there was much more to do than I had ever imagined. And at the time the team I managed consisted only of myself.

Read more…

Categories: Network Security Tags:

The Changing Nature of Incident Response: Part 1

October 22nd, 2011 Comments off
I’ve been affiliated with incident response in one way or another since 1988. I am not saying this boastfully, as I’ve made many mistakes both in responding to incidents technically and in managing incident response efforts. At the same time, however, when I first entered the incident response arena, there were no policies, standards, and procedures, and not really any requirements, either, to guide incident response efforts. Everyone who played in this arena originally had to use a combination of intuition and learning from mistakes just to get by.

Read more…

Categories: Network Security Tags:

To Share or Not to Share, That Is the Question

October 18th, 2011 Comments off
The Obama Administration (and in particular the U.S. State Department) continues to take the heat for the massive leakage of U.S. government documents courtesy of WikiLeaks (and allegedly originally because of the actions of PFC Bradley Manning). The volume of vitriol directed at President Obama and Security of State Hillary Clinton is astounding; members of the information security community have contributed more than their fair share of it. How could the U.S. government, they say, have been so negligent regarding access control that even a lowly private in the U.S. Army could allegedly gain access to these documents?

Read more…

Categories: Network Security Tags:

A DLP Success Story

October 14th, 2011 Comments off
Those of us who are information security professionals know all too well that success stories in our arena are too few and far between. When we hear of one, we thus need to savor the moment. This kind of moment recently occurred within Nationwide Insurance, which not too long ago had implemented a data loss prevention (DLP) tool enterprise-wide. The DLP tool issued an alert that a Nationwide employee had sent a spreadsheet from his personal email account to his Nationwide email account. A follow-up investigation revealed that the spreadsheet contained information such as credit card numbers, Pay Pal and eBay account names, and bogus identity information, prompting an investigation by Nationwide officials who contacted law enforcement soon afterwards. The FBI Cybercrime Task Force and the U.S. Postal Inspection Service launched an investigation and ultimately determined that Bi was copying computer games to CDs and then selling the CDs for a greatly reduced price. Between 2005 and late 2009, Bi sold more than 35,000 copies valued at $700,000 on eBay and using the eBay and Pay Pal account names he had stolen as well as his own account.

Read more…

Categories: Network Security Tags:

2011: A Better Year for Information Security?

October 10th, 2011 Comments off
The year 2010 is behind us; a new year is beginning. Last year will not go down in history as a particularly good year from an information security perspective. Attacks funded and initiated by countries (particularly the Peoples Republic of China) continued to occur frequently. So many denial of service (DoS) attacks came from China that domain name registrars began to distance themselves from entities in this country. The Stuxnet worm, which surfaced last year, proved for the first time that a virus or worm could actually cause physical damage to SCADA systems and, unfortunately, was almost certainly only the harbinger of a new, more formidable generation of malware. Data security breaches continued to occur at an astounding rate, as exemplified by recent statistics from the Privacy Rights Clearinghouse–nearly 600,000,000 pieces of personally identifiable information have fallen into unauthorized hands since this organization began counting in 2005. No one could have guessed the amount of information leaked to the wikileaks.org Web site, allegedly because of the actions of Private Bradley Manning of the US Army. And nobody would have imagined the ferocity of the DoS attacks that wikileaks supporters launched against Visa, MasterCard, and other credit card companies after these companies quit allowing their credit cards to be used for contributions to wikileaks. U.S. Government security efforts continued to flounder haplessly, and no major federal cybersecurity-related legislation was passed in the U.S. last year. Efforts to get a global treaty on cybercrime in place failed. Crime rings operating in Eastern Europe, Brazil, and elsewhere continued to rake in large amounts of money through a plethora of computer crime methods.

Read more…

Categories: Network Security Tags: